I’m currently doing some simple research on the Windows XP registry.
I took several registry hive files from a fresh Windows XP SP2 system. They are:
- default
- sam
- security
- software
- system
- userdiff and
- ntuser.dat
To copy those files, I need to take the machine offline. My gentle reader, if you have a better way to do that, please let me know.
For the first experiment, I try processing the sam file. This file is very interesting because of its content.
I simply load that sam file into RegRipper and wait one or two minutes until the process is done:
And here is the report file. I’ve omitted some information for brevity:
User Information
-------------------------
Username : Administrator [500]
Full Name :
User Comment : Built-in account for administering the computer/domain
Last Login Date : Sat Aug 2 05:15:00 2008 Z
Pwd Reset Date : Tue Feb 26 18:13:25 2008 Z
Pwd Fail Date : Mon Aug 4 01:30:56 2008 Z
Login Count : 11
--> Password does not expire
--> Normal user account
Username : SUPPORT_388945a0 [1002]
Full Name : CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
User Comment : This is a vendor's account for the Help and Support Service
Last Login Date : Thu Jan 1 00:00:00 1970 Z
Pwd Reset Date : Sun Apr 30 07:12:37 2006 Z
Pwd Fail Date : Mon Jun 16 05:57:37 2008 Z
Login Count : 0
--> Password does not expire
--> Account Disabled
--> Normal user account
Username : ASPNET [1003]
Full Name : ASP.NET Machine Account
User Comment : Account used for running the ASP.NET worker process (aspnet_wp.exe)
Last Login Date : Thu Jan 1 00:00:00 1970 Z
Pwd Reset Date : Sun Apr 30 07:30:41 2006 Z
Pwd Fail Date : Mon Jun 16 05:57:36 2008 Z
Login Count : 0
--> Password does not expire
--> Password not required
--> Normal user account
Username : HelpAssistant [1004]
Full Name : Remote Desktop Help Assistant Account
User Comment : Account for Providing Remote Assistance
Last Login Date : Thu Jan 1 00:00:00 1970 Z
Pwd Reset Date : Tue Feb 26 18:13:19 2008 Z
Pwd Fail Date : Mon Jun 16 05:57:37 2008 Z
Login Count : 0
--> Password does not expire
--> Account Disabled
--> Normal user account
-------------------------
Group Membership Information
-------------------------
Group Name : Power Users [0]
LastWrite : Sun Apr 30 00:03:39 2006 Z
Group Comment : Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications
Users : None
Group Name : Remote Desktop Users [0]
LastWrite : Sun Apr 30 00:03:40 2006 Z
Group Comment : Members in this group are granted the right to logon remotely
Users : None
Group Name : Backup Operators [0]
LastWrite : Sun Apr 30 00:03:39 2006 Z
Group Comment : Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
Users : None
Group Name : Administrators [5]
LastWrite : Thu Jun 19 01:57:35 2008 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
S-1-5-21-1114226921-1517632708-2302219701-500
S-1-5-21-1114226921-1517632708-2302219701-1005
S-1-5-21-448539723-162531612-725345543-3248
S-1-5-21-448539723-162531612-725345543-512
S-1-5-21-448539723-162531612-725345543-2429
Wow… a lot of information can be gained from one sam file.
Thanks to keydet89 for developing RegRipper and releasing it as open source.
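As an added example (not part of the original post and not RegRipper code), here is a small Python triage script over a constructed excerpt in the layout of the report above: it parses the user and group sections, then flags enabled accounts that need no password and Administrators members whose SID does not share the local machine's SID prefix (the prefix carrying the RID 500 Administrator); RID 512 is the well-known Domain Admins RID.

```python
import re

# Constructed excerpt in samparse's report layout (a subset of the report above, not RegRipper output).
REPORT = """\
Username : Administrator [500]
--> Password does not expire
Username : ASPNET [1003]
--> Password does not expire
--> Password not required
Username : HelpAssistant [1004]
--> Account Disabled
Group Name : Administrators [3]
Users :
S-1-5-21-1114226921-1517632708-2302219701-500
S-1-5-21-1114226921-1517632708-2302219701-1005
S-1-5-21-448539723-162531612-725345543-512
"""

USER_RE = re.compile(r"^Username : (\S+) \[(\d+)\]$")
GROUP_RE = re.compile(r"^Group Name : (.+?) \[(\d+)\]$")
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_report(text):
    """Return ({username: {"rid": int, "flags": set}}, {group name: [member SID, ...]})."""
    users, groups, cur = {}, {}, None
    for line in text.splitlines():
        if m := USER_RE.match(line):          # start of a user record
            cur = users[m.group(1)] = {"rid": int(m.group(2)), "flags": set()}
        elif m := GROUP_RE.match(line):       # start of a group record
            cur = groups[m.group(1)] = []
        elif line.startswith("--> ") and isinstance(cur, dict):
            cur["flags"].add(line[4:])        # account flag lines belong to the current user
        elif SID_RE.match(line) and isinstance(cur, list):
            cur.append(line)                  # member SIDs belong to the current group
    return users, groups

def triage(users, groups):
    """Flag the conditions a reviewer checks first; returns a sorted list of findings."""
    findings = []
    for name, u in users.items():
        enabled = "Account Disabled" not in u["flags"]
        if enabled and "Password not required" in u["flags"]:
            findings.append(f"{name} (RID {u['rid']}) is enabled and needs no password")
    admins = groups.get("Administrators", [])
    # The SID ending in -500 is the built-in Administrator, so its prefix is the local machine SID.
    local_sid = next((SID_RE.match(s).group(1) for s in admins if s.endswith("-500")), None)
    for sid in admins:
        auth, rid = SID_RE.match(sid).groups()
        if auth != local_sid:
            tag = " (Domain Admins)" if rid == "512" else ""
            findings.append(f"Administrators contains non-local SID {sid}{tag}")
    return sorted(findings)
```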

*Nice research, brother :)
I think KPK “www.kpk.go.id” needs you to pull more information from corrupt government laptops :)
May I call Mr. Antasari Ashar to follow up? … hehehe
I agree with ciluuk.. Go on, sir… not bad for making a living for the next year..